Yibin Dai and Shaozhen Chen
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Zhengzhou Information Science and Technology Institute , Zhengzhou 450001, China
Abstract. PRIDE is a lightweight block ciphers designed by Albrecht et al., appears in CRYPTO 2014. The designers claim that the construction of linear layers is nicely in line with a bit-sliced implementation of the Sbox layer and security. In this paper, we find 8 2-round iterative related-key differential characteristics, which can be used to construc-t 18-round relaconstruc-ted-key differenconstruc-tials. Then, by discussing construc-the funcconstruc-tion gr(1), we also find 4 2-round iterative related-key differential characteristics with ∆gr(1)(k1,2) = 0x80 and 4 2-round iterative characteristics with ∆g(1)r (k1,2) = 0x20 which cause three weak-key classes. Based on the related-key differentials, we launch related-key differential attack on full PRIDE. The data and time complexity are 239chosen plaintexts and 260encryptions, respectively. Moreover, by using multi related-key differentials, we improve the cryptanal-ysis, which requires 241.4 chosen plaintexts and 244 encryptions, respectively. Finally, by using 17-round related-key differentials, the cryptanalysis requires 234plaintexts and 253.7 encryptions. These are the first results on full PRIDE.
Keywords: Cryptanalysis ; Block cipher; PRIDE; Iterative characteristics; Related-key differential
1
Introduction
Due to the rapidly growing impact of mobile phones, smart cards, RFID tags and sensor networks, lightweight cryptography which is suitable for such resource-constrained devices becomes more and more important. During the past few years, a number of lightweight block ciphers have been developed, including but not limited to PRESENT[7], PRINTcipher[12], LED[10], LBlcok[13], PRINCE[8], NSA standard SIMON and SPECK[2] etc.
PRIDE[1] is designed by Albrecht et al. in CRYPTO 2014, which significantly outperforms all existing block cipher of similar key sizes, with the exception of SIMON and SPECK. Both in the speed and memory, PRIDE is comparable to SIMON and SPECK. And so far, only Jingyuan Zhao , Xiaoyun Wang et al. give an analysis result with differential attack[14].
Based on related-key attack[3] and differential cryptanalysis[4], the related-key differential attack was introduced by Kelsey et al.[11] in 1996, in which it is assumed that the adversary has control over the key difference, along with the control over plaintext/ciphertext difference. Since its introduction, the related-key differential attack was used to break reduced-round variants of various block ciphers. Then, combined with other cryptanalysis such as boomerang attack, rectangle attack, impossible differential attack et al., there are many results, including AES[5,6], KASUMI[9] et al..
In this paper, we focus on the cryptanalysis of the new block cipher PRIDE against key attack. By investigating the key schedule algorithm, we can find 8 2-round iterative related-key differential characteristics. Then, we give a discussion ofg(1)r . Based on the discussion, there
exists 4 2-round iterative related-key differential characteristics with∆gr(1)(k1,2) = 0x80, and 4
weak-key classes with 2126.4or 2122keys. All the 2-round iterative characteristics can extend to 18-round related-key differentials. Moreover, based on the 18-round related-key differentials and some observations of linear layer, we present an attack on full PRIDE with 239chosen plaintexts and 260 encryptions. Furthermore, by using multiple related-key differentials, we improve the cryptanalysis which requires 241.4 plaintexts and 244 encryptions. Besides, by using 17-round related-key differentials, the cryptanalysis requires 234 plaintexts and 253.7 encryptions. These are the first results on full PRIDE. Our results are summarized and compared to the previous results in Table 1.
Table 1.Summary of Attacks on PRIDE
Cryptanalysis Total Rounds Attack Rounds Data Times Reference
Differential 20 18 260CP 264 [14]
Related-key Differential 20 20 239CP 260 5.2
Related-key Differential 20 20 241.4CP 244 5.2 Related-key Differential 20 20 234CP 253.7 5.3
The rest of this paper is organized as follows. We introduce the notations in Section 2, and give a brief description of PRIDE in Section 3. Section 4 shows 4 2-round iterative related-key differential characteristics of PRIDE as well as others characteristics under 3 weak-key classes. We describe related-key differential attack on full PRIDE in Section 5. Finally, we concludes this paper.
2
Notations
The following notations are used in this paper:
Ir the input of ther-th round
Xr the state after⊕key of ther-th round
Yr the state after S-box of ther-th round
Zr the state afterP-layer of ther-th round
Wr the state afterM-layer of ther-th round
Or the output of ther-th round
X[n1, . . . , nt] then1, . . . , nt-th nibbles of state
3
Description of PRIDE
PRIDE is a SPN structure block cipher with 64-bit block cipher and 128-bit key. The round function consists of three operations: The state is XORed with the round key, fed into 16 paralled 4-bit Sboxes and then permuted and processed by the linear layer, see Fig.1. The cipher has 20 rounds, of which the first 19 are identical, and linear layer of the last round is omitted, see Fig.2.
The PRIDE S-box is given in Table.2.
Table 2.S-box of block cipher PRIDE
S S S S S S S S S S S S S S S S
L0 L1 L2 L3
)) ( ( 1 1
k f P i
L P
P -1
R ' R
Fig. 1.The Round Function of PRIDE
P -1 R R R R R
) (1 1k
f
0
k f3(k1) f18(k1) f19(k1) f20(k1)
' R )
(1 2 k
f
0
k
m P c
Fig. 2.Overall structure of PRIDE
The linear layerL of block cipher PRIDE is divided into 3 parts: a permutation layerP, a matrix layerM and another permutation P−1 which is the inverse of P. The matrix layer M showsM =L0×L1×L2×L3. The linear layer is defined as following :
L:=P−1◦(M)◦P The detailed definitions ofP, P−1, L
i are in Appendix.
The 128-bit master keyK of block cipher PRIDE is divided into two 64-bit parts (k0||k1).
k0is used for pre-whitening and post-whitening, whilek1 is divided into 8 8-bit words
k1=k1,1||k1,2||k1,3||k1,4||k1,5||k1,6||k1,7||k1,8 and used to generate the subkeysfr(k1).fr(k1) is defined as follows:
fr(k1) =k1,1||gr(1)(k1,2)||k1,3||gr(2)(k1,4)||k1,5||gr(3)(k1,6)||k1,7||gr(4)(k1,8)
as the subkey derivation function with four byte-local modifiers of the key as
g(1)r (x) = (x+ 193r) mod 256
g(2)r (x) = (x+ 165r) mod 256
g(3)r (x) = (x+ 81r) mod 256
g(4)r (x) = (x+ 197r) mod 256
which simply add one of four constants to every other byte ofk1.
4
Related-key differential attack on PRIDE
In this section, by investigating the key schedule of block cipher PRIDE, we present 2-round itera-tive related-key differential characteristics, which can be used to constructed 18-round related-key differential characteristics. And we can find 8 2-round iterative related-key differential charac-teristic. Then, we give a discussion of g(1)r , and find 4 2-round iterative related-key differentials
4.1 Related-key Differential Characteristics of PRIDE
Because there are four non-linear functiongr(i)(i= 1,2,3,4) in key schedule algorithm, we firstly
consider related keys which has no difference occurred in the input ofgr(i). Assume that given a
keyK=k0||k1 and the related keyK′ =k0||k′1, where
k′
1=k1⊕0x88||k2||k3||k4||k5||k6||k7||k8
, that is,∆k1=k1⊕k1′ = 0x88||0||0||0||0||0||0||0 which lead to the following equation:
∆fr(k1) = 0x88||0||0||0||0||0||0||0, r= 1, . . . ,20
At the same time, we can get
∆P−1(f
r(k1)) = 0x80||0||0x80||0||0||0||0||0, r= 1, . . . ,20
,so that all the subkeys are identical.
Theorem 1. Given the two keys (K, K′) presented above, then there exists 2-round iterative
related-key differential characteristics holding with probability 2−4.
Proof. According to the difference distribution of PRIDE S-box, thatS(0x8) = 0x8 holds with
probability 2−2, which can be used to find 2-round iterative related-key differential characteristics with probability 2−4, see Table.3.
Table 3.2-round iterative related-key differential characteristics
∆Ir 1000 0000 0000 0000 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 ∆Xr 0000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 ∆Yr 0000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 ∆Zr 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Wr 1000 1000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Ir+1 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 ∆Xr+1 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 ∆Yr+1 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 ∆Zr+1 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Wr+11000 1000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Ir+2 1000 0000 0000 0000 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000
So there exists 2-round iterative related-key differential characteristics under∆K: 8000800080000000−→1r 8000800000008000−→1r 8000800080000000,
where ∆k0 = 0 and ∆k1 = 8800000000000000. Then, according to Table.3, there are 2 active S-box in the 2-round path, so the probability of the 2-round iterative related-key differential characteristics is 2−4.
The 2-round iterative related-key differential characteristics shows that there are 2 S-boxes in every two rounds. So that we also can consider the characteristics: one round has non active S-box, another has 2 S-boxes. In fact, there exists such 2-round iterative related-key differential characteristics with∆k1= 8800000000000000:
8000800000000000−→1r 0000000000000000−→1r 8000800000000000,
which can be used to construct 17-round or 18-round related-key differentials and then lead to an attack on full PRIDE.
Table 4.8 2-round iterative characteristics 2-round characteristics ∆P−1(fr(k
1)) ∆fr(k1) 8000 8000 8000 0000−→2r 8000 8000 8000 0000 8000 8000 0000 0000 8800 0000 0000 0000 0800 0800 0800 0000−→2r 0800 0800 0800 0000 0800 0800 0000 0000 4400 0000 0000 0000 0080 0080 0080 0000−→2r 0080 0080 0080 0000 0080 0080 0000 0000 2200 0000 0000 0000 0008 0008 0008 0000−→2r 0008 0008 0008 0000 0008 0008 0000 0000 1100 0000 0000 0000 8000 8000 0000 0000−→2r 8000 8000 0000 0000 8000 8000 0000 0000 8800 0000 0000 0000 0800 0800 0000 0000−→2r 0800 0800 0000 0000 0800 0800 0000 0000 4400 0000 0000 0000 0080 0080 0000 0000−→2r 0080 0080 0000 0000 0080 0080 0000 0000 2200 0000 0000 0000 0008 0008 0000 0000−→2r 0008 0008 0000 0000 0008 0008 0000 0000 1100 0000 0000 0000
Corollary 1 Given the two keys(K, K′)presented above, then there exists2n-round related-key
differential characteristics holding with probability 2−4n
.
It is obviously that if 2−4n >2−64, the related-key differential characteristics can be used to attack on block cipher PRIDE. Because of 2n= 20 for PRIDE block cipher, the related-key differential characteristics can apply to cryptanalyze on full PRIDE.
4.2 Others iterative Characteristics
Based on the analysis in Section 4.1, by changing the position of the input difference and key difference, there also exists others 2-round iterative related-key differential characteristics with probability 2−4. However, when it changes the position, we find that only first 16-bit of k
1 is nonzero, this means that the input difference of gr(1) is nonzero. In order to keep iterative
characteristics holding, it requires every round subkeys identical. Therefore, we firstly give a discussion ofgr(1).
Assume that key difference occurs ink1,2and∆k1,2=δ, the difference after the functiongi(1)
is δi, i = 1, . . . ,20. The 2-round iterative characteristics requires the round subkeys identical,
that is δ1 = δ2 =· · · =δ20. We have computationally generated all differences and values for
k1,2, see Table 5.
Table 5. Key difference and value forg(1)r
∆k1,2∆g(1)r (k1,2) key values number of key 0x20 0x20 0x0-0xb, 0x20-0x2b, 0x40-0x4b, 0x60-0x6b, 12×8 = 96
0x80-0x8b, 0xa0-0xab, 0xc0-cxb, 0xe0-0xeb, 0x80-0x8b, 0xa0-0xab, 0xc0-cxb, 0xe0-0xeb
0x80 0x80 0x0-0xff 256
0xa0 0xa0 0x0-0xb, 0x20-0x2b, 0x40-0x4b, 0x60-0x6b, 12×8 = 96 0x80-0x8b, 0xa0-0xab, 0xc0-cxb, 0xe0-0xeb
0x60 0x20 0x3f,0x5f,0xbf,0xdf 4
0xe0 0x20 0x1f,0x7f,0x9f,0xff 4
Table 5 shows that there are 5 cases meeting the condition that all round subkeys are identical. But the difference 0xa0 can not be used to construct the 2-round iterative related-key differential characteristics with probability 2−4. When the input difference ofg(1)
r is nonzero, the 2-round
iterative related-key differential characteristics are presented in Table 6.
Table 6. Other 8 2-round iterative characteristics
2-round characteristics ∆P−1(fr(k1)) ∆fr(k1)
0000 8000 8000 8000−2r→0000 8000 8000 8000 0000 8000 8000 0000 0880 0000 0000 0000 0000 0080 0080 0080−2r→0000 0080 0080 0080 0000 0080 0080 0000 0220 0000 0000 0000 8000 8000 8000 0000−2r→8000 8000 8000 0000 8000 0000 8000 0000 8080 0000 0000 0000 0080 0080 0080 0000−2r→0080 0080 0080 0000 0080 0000 0080 0000 2020 0000 0000 0000 0000 8000 8000 0000−2r→0000 8000 8000 0000 0000 8000 8000 0000 0880 0000 0000 0000 0000 0080 0080 0000−2r→0000 0080 0080 0000 0000 0080 0080 0000 0220 0000 0000 0000 8000 0000 8000 0000−2r→8000 0000 8000 0000 8000 0000 8000 0000 8080 0000 0000 0000 0080 0000 0080 0000−2r→0080 0000 0080 0000 0080 0000 0080 0000 2020 0000 0000 0000
under the weak-key class with ∆k1,2 = 0x20 which has 2126.4(= 12×8×2120) keys, or with
∆k1,2= 0x60,0xe0 which has 2122(= 4×2120) keys, See Table.5.
All the 2-round iterative related-key differential characteristics presented above can extend to 18-round related-key differentials which lead to the attack on full PRIDE.
5
Key Recovery of Block Cipher PRIDE
In this section, we firstly give some observations which can be used to filter the data. Then, we present an attack on full PRIDE using 241 chosen plaintexts and 260 encryptions. Besides, by using multiple related-key differentials, the cryptanalysis requires 241.4chosen plaintexts and 244 encryptions. Finally, if use 17-round related-key differentials, the complexity of the cryptanalysis is 234 chosen plaintexts and 253.7 encryptions.
5.1 Some Observations
Observation 1 If the input difference ofL−1
0 is∆W = (∗000 ∗000 0000 ∗000), then its output
difference is ∆Z = (0000 0000 ∗000 0000) with probability 2−3. If the input difference of L−1
3
is∆W = (∗000 ∗000 0000 ∗000), then its output difference is∆Z = (0000 0000 ∗000 0000)
with probability2−3.
SinceL−1
0 (∗000∗000 0000∗000) = (∗000∗000∗000∗000), and (*000 *000 *000 *000)=(0000 0000 *000 0000) with probability 2−3.L−1
3 situation is similar asL
−1 0 .
Observation 2 If the input difference ofL−1
1 is∆W = (0000 0∗00 0000∗ ∗00), then its output
difference is ∆Z = (0000 0000 ∗000 0000) with probability 2−2. If the input difference of L−1
2
is∆W = (0∗00 0000 ∗ ∗00 0000), then its output difference is∆Z = (0000 0000 ∗000 0000)
with probability2−2.
Since∆ZT =L−1
1 (∆W) = (0000 00∗ ∗ ∗ ∗ ∗0 0000), where∆W = (0000 0∗00 0000 ∗ ∗00), it can construct a linear equation set as follows:
(
∆W[6]⊕∆W[13] = 0
∆W[6]⊕∆W[14] = 0 (1)
If the 2 three equations are satisfied,∆Zr= (0000 0000 ∗000 0000). And the probability is 2−2.
The proof ofL−1
2 is similar asL
−1 1 .
Observation 3 If the input difference ofL−1
0 is∆W = (∗000 ∗000 0000 ∗000), then its output
difference is ∆Z = (∗000 ∗000 0000 0000)with probability 2−2. If the input difference of L−1
3
is∆W = (∗000 ∗000 0000 ∗000), then its output difference is∆Z = (∗000 ∗000 0000 0000)
SinceL−1
0 (∗000∗000 0000∗000) = (∗000∗000∗000∗000), and (*000 *000 *000 *000)=(*000 *000 0000 0000) with probability 2−2.L−1
3 situation is similar asL
−1 0 .
Observation 4 If the input difference ofL−1
1 is∆W = (∗00∗ ∗00∗ ∗000∗000), then its output
difference is ∆Z = (∗000 ∗000 0000 0000)with probability 2−4. If the input difference of L−1
2
is∆W = (∗00∗ ∗00∗ ∗000 ∗000), then its output difference is ∆Z= (∗000 ∗000 0000 0000)
with probability2−4.
Since∆ZT =L−1
1 (∆W) = (∗ ∗ ∗0 ∗ ∗ ∗0 ∗ ∗00 ∗ ∗00), where∆W = (∗00∗ ∗00∗ ∗000 ∗000), it can construct a linear equation set which has simplified as follows:
∆W[1]⊕∆W[8] = 0
∆W[1]⊕∆W[9] = 0
∆W[4]⊕∆W[5] = 0
∆W[5]⊕∆W[13] = 0
(2)
If the 4 three equations are satisfied,∆Zr= (∗000 ∗000 0000 0000). And the probability is 2−4.
The proof ofL−1
2 is similar asL
−1 1 .
5.2 Key-Recovery Attack By Using 18-Round Path
Key-Recovery with One characteristics Based on the 2-round iterative characteristics
8000800080000000−→2r 8000800080000000, we can obtain 18-round related-key differential char-acteristics with probability 2−36 with∆k
1= 880000000000000: 8880000000000000 P−
1 ,⊕∆k0
−−−−−−−→8000800080000000−−→18r 8000800080000000 We add 2-round after the characteristics (see Table.7), and analyze the full PRIDE.
Table 7.Cryptanalysis on Full PRIDE
∆I19 1000 0000 0000 0000 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 ∆X19 0000 0000 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 ∆Y19 0000 0000 0000 0000 0000 0000 0000 0000 **** 0000 0000 0000 0000 0000 0000 0000 ∆Z19 0000 0000 *000 0000 0000 0000 *000 0000 0000 0000 *000 0000 0000 0000 *000 0000 ∆W19*000 *000 0000 *000 0000 0*00 0000 **00 0*00 0000 **00 0000 *000 *000 0000 *000 ∆I20 *00* 00*0 0000 0000 *00* 0*00 0000 0000 00*0 00*0 0000 0000 **0* 0*00 0000 0000 ∆X20 *00* 00*0 0000 0000 *00* 0*00 0000 0000 00*0 00*0 0000 0000 **0* 0*00 0000 0000 ∆Y20 **** **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000
⊕∆k0 **** **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000 ∆C **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00 **00
The attack procedure is as follows:
1. Data Collection. Encrypt 238pairs of plaintexts with a difference 0x8880000000000000.
For the 238 pairs of ciphertexts, the adversary chooses the pairs that satisfy the output difference in table 6. There remains 26(= 238×2−32) pairs.
2. Key Recovery.
(b) Decrypt the remaining pairs through L−layer. According to Observation 1 and 2, the probability satisfied the conditions∆Z19 is 2−10(= 2−3×2−3×2−2×2−2). Therefore, there remains 2−14×2−10= 2−24pairs.
(c) Guess 36-bitk0[3,4,7,8,11,12,15,16] and (M◦P)−1(f20(k1))[9]. Decrypt the remaining pairs, and check if the output difference of∆X19[9] is 0x8. On average 2−24×2−4= 2−28 pair data remains. And if the remaining pairs is greater than 2, the corresponding key is right.
(d) Exhaustively search the rest 60-bit information ofk1which are not guessed in the former steps.
Complexity analysis. For the data collection step, there requires 239 chosen plaintexts, and
239encryptions. Step (a) requires 2×26×232×1/20 = 235 encryptions. Step (b) only executes linear layers, we omit here. Step (c) requires 2×232×2−24×236×1/20 = 241 encryption. In step (d), there are 60-bit information ofk1which are not guessed, so it requires 260encryptions.
Therefore, the attack requires 239chosen plaintexts and 260encryptions.
Key-Recovery with Multiple Characteristics Due to the iterative property of related-key
differentials, there are two cases which can be used to cryptanalyze PRIDE for the same related keys. For example, with the related keys satisfied∆k1= 880000000000000, the two cases are as follows:
Case 1. 8000800080000000−→1r 8000800000008000−→1r 8000800080000000
Case 2. 8000800000008000−→1r 8000800080000000−→1r 8000800000008000,
which lead to two related-key differentials: 8880000000000000 P−
1 ,⊕∆k0
−−−−−−−→8000800080000000−−→18r 8000800080000000 8808000000000000 P−
1 ,⊕∆k0
−−−−−−−→8000800000008000−−→18r 8000800000008000
For each of the cases, apply the attack procedure presented in section 5.2. On one hand, for Case.1, it needs to guessk0and (M◦P)−1(f20(k1))[9]. On the other hand, forCase.2, it needs to guessk0 and (M◦P)−1(f20(k1))[13]. Note that the 64-bitk0 are common, so there are 56-bit
k1 which are not guessed. Therefore, by using the two cases, the attack requires 2×239 chosen plaintexts and 256encryptions.
Furthermore, if we use more related keys, the time complexity of the attack can be reduced. For example, we chosen another related keys satisfied∆k1= 440000000000000, there are 2 more cases:
Case 3. 0800080008000000−→1r 0800080000000800−→1r 0800080008000000
Case 4. 0800080000000800−→1r 0800080008000000−→1r 0800080000000800
At the same times, two nibbles key (M ◦P)−1(f20(k1))[10,14] need to be guessed and then 48-bit k1 which are not guessed. Therefore, by using the two more cases, the attack requires 4×239= 241 chosen plaintexts and 248 encryptions.
The best time-data trade-off method requires 5 cases which lead to an attack on full PRIDE using 5×239= 241.4 chosen plaintexts and 244 encryptions.
5.3 Key-Recovery Attack By Using 17-Round Path
In this section, we recover the key by using another 2-round iterative related-key differential characteristics8000800000000000−→2r 8000800000000000, which lead to a 17-round (round 2-18) related-key differential with probability 2−32with∆k
We add 1-round before the characteristics and 2-round after the characteristics (see Table.8), and then analyze the full PRIDE. Here, we omit the initial permutationP−1-layer.
Table 8.Cryptanalysis on Full PRIDE
∆I1 **** 0000 0000 0000 **** 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆X1 **** 0000 0000 0000 **** 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Y1 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Z1 1000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆W1 1000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆I2 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆I19 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆X19 1000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Y19 **** 0000 0000 0000 **** 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ∆Z19 *000 *000 0000 0000 *000 *000 0000 0000 *000 *000 0000 0000 *000 *000 0000 0000 ∆W19*000 *000 *000 *000 *00* *00* *000 *000 *00* *00* *000 *000 *000 *000 *000 *000 ∆I20 **** 0000 0000 0**0 **** 0000 0000 0**0 **** 0000 0000 0000 **** 0000 0000 0000 ∆X20 **** 0000 0000 0**0 **** 0000 0000 0**0 **** 0000 0000 0000 **** 0000 0000 0000 ∆Y20 **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000 0000 **** 0000 0000 0000
⊕∆k0 **** 0000 0000 **** **** 0000 0000 **** **** 0000 0000 0000 **** 0000 0000 0000 ∆C *00* *00* *000 *000 *00* *00* *000 *000 *00* *00* *000 *000 *00* *00* *000 *000
The attack procedure is as follows:
1. Data Collection. Encrypt 2nstructures, in each of which, plaintexts traverse in nibbles 1,
5 and fix value in the rest nibbles. There are 28plaintexts in a structure which causes to 215 pairs. For the ciphertexts, the adversary chooses the pairs that satisfy the output difference in table 6. There remains 2−25(= 215×2−40) pairs.
2. Key Recovery.
(a) Guess 8-bit keys k0⊕P−1(f1(k1))[1,5], encrypt the 1-st and 5-th nibbles of plaintexts partially, and sieve 28pairs whose S-box output difference∆Y1[1] =∆Y1[5] = 0x8, which makes 2−33pairs remain.
(b) Guess k0[1,4,5,8,9,13] one by one(here, we can obtainP−1(f1(k1))[1,5]), decrypt the corresponding nibbles of ciphertexts partially and verifies if the difference of the decrypt-ed nibbles is ∆X20[1,4,5,8,9,13]=****, 0**0, ****, 0**0, ****, ****. The probability is 1, 2−2, 1, 2−2, 1, and 1 respectively. There remains 2−33×2−4= 2−37pairs.
(c) Decrypt the remaining pairs throughL−layer. According to Observation 3 and 4, the probability satisfied the conditions∆Z19 is 2−12(= 2−2×2−2×2−4×2−4). Therefore, there remains 2−37×2−12= 2−49pairs.
(d) Guess 40-bitk0[2,3,6,7,10,11,12,14,15,16] and 8-bit (M◦P)−1(f20(k1))[1,5]. Decrypt the remaining pairs, and check if the output difference of∆X19[1,5] is 0x8, respectively. On average 2−49×2−8 = 2−57 pairs data remains. Here, we guess 64-bitk
0 and 16-bit information ofk1in all.
(e) Exhaustively search the rest 48-bit information ofk1which are not guessed in the former steps.
In order to distinguish the right key from the wrong ones, we expect two pairs satisfy our related-key differential path which require n to be 26 since the probability of our differential path is 2−32. In this way, about 2−31 pairs expected to left for the wrong keys.
Complexity analysis. For the data collection step, there requires 226 ×28 = 234 chosen
requires 28×2×2−7×224×1/20 = 221.7 encryptions. Step (c) only executes linear layers, we omit here. Step (d) requires 232×2×2−23×248×1/20 = 253.7 encryptions. In step (e), there are 48-bitk1 which are not guessed, so it requires 248 encryptions.
Therefore, the attack requires 234 chosen plaintexts and 253.7encryptions.
6
Conclusion
According to observing the key schedule algorithm and linear layer of PRIDE, we find 8 2-round iterative key differential characteristics which can be used to construct 18-round related-key differentials for block cipher PRIDE. Then, we also give 4 2-round iterative related-related-key differential characteristics with∆g(1)r (k1,2) = 0x80 and 4 2-round iterative related-key differential
characteristics under 3 weak-key classeses with 2126.4or 2122keys. Based on one of the related-key differentials, we attack on full PRIDE using 239chosen plaintexts and 260encryptions. Moreover, by using multi related-key differentials, we can improve the cryptanalysis which requires 241.4 plaintexts and 244 encryptions. Besides, by using the 17-round related-key differentials, the complexity of the cryptanalysis is 234plaintexts and 253.7encryptions. These are the first results on full PRIDE.
References
1. M.R. Albrecht, B. Driessen, E.B. Kavun, G. Leander, C. Paar, and T. Yalcin. Block ciphers - focus on the linear layer(feat. PRIDE). In J.A. Garay and R. Gennaro, editors,CRYPTO 2014, volume 8616 ofLecture Notes in Computer Science, pages 57–76. Springer, Berlin, 2014.
2. R. Beaulieuand, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers. Performance of the SIMON and SPECK family of lightweight block ciphers. Technical report, National Security Agency, 2014.
3. E. Biham. New types of cryptanalytic attacks using related keys.J. Cryptology, 7(4):229–246, 1994. 4. E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. J. Cryptology,
4(1):3–72, 1991.
5. A. Biryukov, O. Dunkelman, N. Keller, D. Khovratovich, and A. Shamir. Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In H. Gilbert, editor,EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pages 299–319. Springer, Berlin, 2010. 6. A. Biryukov and D. Khovratovich. Related-key cryptanalysis of the full AES-192 and AES-256. In
M. Matsui, editor, ASIACRYPT 2009, volume 5912 ofLecture Notes in Computer Science, pages 1–18. Springer, Berlin, 2009.
7. A. Bogdanov, L.R. Knudsen, G. Leader, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkielsoe. PRESENT: An ultra-lightweight block cipher. In P. Pailier and I. Verbauwhede, editors,CHES 2007, volume 4727 of Lecture Notes in Computer Science, pages 450–466. Springer, Berlin, 2007.
8. J. Borghoff, A. Canteaut, T. G¨uneysu, E.B. Kavun, M. Knezevic, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, and T. Yalcin. PRINCE- A low-latency block cihper for pervasive computing applications-extended abstract. In X. Wang and K. Sako, editors, ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 208–225. Springer, Berlin, 2012.
9. O. Dunkelman, N. Keller, and A. Shamir. A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In T. Rabin, editor,CRYPTO 2010, volume 6223 of
Lecture Notes in Computer Science, pages 393–410. Springer, Berlin, 2010.
11. J. Kelsey, B. Schneier, and D. Wagner. Key schedule crypt-analysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In N. Koblitz, editor, CRYPTO 1996, volume 1109 of Lecture Notes in Computer Science, pages 237–251. Springer, Berlin, 1996.
12. L. Knudsen, G. Leander, A. Poschmann, and M. Robshaw. PRINTcipher: A block cipher for ic printing. In S. Mangard and F.-X Standaert, editors,CHES 2010, volume 6225 ofLecture Notes in Computer Science, pages 16–32. Springer, Berlin, 2010.
13. W. Wu and L. Zhang. LBlock: A lightweight block cipher. In J. Lopez and G. Tsudik, editors,
ACNS 2011, volume 6715 of Lecture Notes in Computer Science, pages 327–344. Springer, Berlin, 2011.
14. J. Zhao, X. Wang, M. Wang, and X. Dong. Differential analysis on block cipher PRIDE. Cryptology ePrint Archive, Report 2014/525. http://eprint.iacr.org/2014/525.pdf/.
L0= (L0)−1=
0000100010001000 0000010001000100 0000001000100010 0000000100010001 1000000010001000 0100000001000100 0010000000100010 0001000000010001 1000100010000000 0100010001000000 0010001000100000 0001000100010000 0000100010001000 0000010001000100 0000001000100010 0000000100010001
, L1=
1100000000010000 0110000000001000 0011000000000100 0001100000000010 0000110000000001 0000011010000000 0000001101000000 1000000100100000 1000000000011000 0100000000001100 0010000000000110 0001000000000011 0000100010000001 0000010011000000 0000001001100000 0000000100110000
L2=
0000110000000001 0000011010000000 0000001101000000 1000000100100000 1100000000010000 0110000000001000 0011000000000100 0001100000000010 0000100010000001 0000010011000000 0000001001100000 0000000100110000 1000000000011000 0100000000001100 0010000000000110 0001000000000011
, L3= (L3)−1=
(L1)−1= 0000001100000010 1000000100000001 1100000010000000 0110000001000000 0011000000100000 0001100000010000 0000110000001000 0000011000000100 1000000100000001 0001000000011000 0000100000001100 0000010000000110 0000001000000011 0000000110000001 1000000011000000 0100000001100000 0010000000110000
,(L2)−1=
0011000000100000 0001100000010000 0000110000001000 0000011000000100 0000001100000010 1000000100000001 1100000010000000 0110000001000000 0000000110000001 1000000011000000 0100000001100000 0010000000110000 0001000000011000 0000100000001100 0000010000000110 0000001000000011 0000000110000001
Table 9. PermutationP(x) of Block Cipher PRIDE
x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 P(x) 1 17 33 49 2 18 34 50 3 19 35 51 4 20 36 52 x 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 P(x) 5 21 37 53 6 22 38 54 7 23 39 55 8 24 40 56 x 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 P(x) 9 25 41 57 10 26 41 58 11 27 43 59 12 28 44 60 x 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 P(x) 13 29 45 61 14 30 46 62 15 31 47 63 16 32 38 64
Table 10. PermutationP−1(x) of Block Cipher PRIDE
